Alibaba Cloud Service Mesh: What is Alibaba Cloud Service Mesh (ASM)?

Last Updated: Dec 09, 2025

Alibaba Cloud Service Mesh (ASM) is a fully managed service mesh platform built on Kubernetes and compatible with the open source Istio service mesh. ASM simplifies service administration, including traffic routing and traffic splitting between services, authentication for inter-service communication, and mesh observability. This significantly reduces development and operations workload.

Product introduction

ASM provides the following basic features:

  • Protects communication between services using mutual TLS, identity-based authorization, and authentication.

  • Provides automatic load balancing for HTTP/HTTPS, gRPC, WebSocket, and TCP traffic.

  • Enables fine-grained control of traffic behavior using rich routing rules, retries, failover, and fault injection.

  • Supports powerful access control, rate limiting, and other extensible mechanisms.

  • Provides observability for all traffic within the cluster, including cluster ingress and egress traffic, through default metrics, log collection, and tracing.

Service architecture

ASM consists of two parts: the control plane and the data plane.

  • The control plane is responsible for reading user configurations and controlling how the data plane processes traffic. The control plane is managed by ASM, making it more stable and efficient than self-built service meshes.

  • The data plane consists of multiple network proxies that intercept all your network traffic and process it according to the control plane's intent. The data plane proxies are deployed in your cluster.

Data plane forms and modes

ASM supports multiple data plane forms, including ACK managed clusters, Container Compute Service (ACS), ACK Serverless clusters, ACK Edge clusters, and ACK One registered clusters. You can use ASM to manage traffic in various heterogeneous infrastructures.

Important

Starting from February 17, 2025, Alibaba Cloud Container Service for Kubernetes Serverless will close cluster creation to new users who have not created clusters before. For more information about this adjustment, see "[Product Change] Announcement on closing the new creation entry of ACK Serverless clusters for new users".

Currently, ASM supports two data plane modes:

  • Sidecar mode: In this mode, ASM automatically injects an Envoy proxy into each of your application pods. This Envoy proxy manages all traffic in and out of the pod.

  • Ambient mode: In this mode, a Layer 4 proxy is deployed on each node, and you can implement Layer 7 proxy functionality by deploying Envoy proxies for namespaces or specific services.

For information about how to choose the data plane mode that suits your needs, see "Choose Ambient mode or Sidecar mode?".

Editions

ASM is offered in Enterprise Edition and Ultimate Edition, which differ in features and support capabilities. These include multi-protocol support and dynamic extension capabilities, fine-grained service governance, a more comprehensive zero trust security system, and continuously improved performance and support for large-scale clusters. The editions lower the barrier to running a service mesh in production and suit scenarios that require cross-language interoperability, fine-grained service governance, and large-scale production use of a service mesh.

| Edition | Description |
|---|---|
| Enterprise Edition (Commercial Edition) | Designed for small to medium-scale production. Supports up to 1,000 pods, has enterprise-level enhancement capabilities, with SLA guarantees. |
| Ultimate (Commercial Edition) | Designed for large-scale production. Supports up to 10,000 pods, has enterprise-level enhancement capabilities, with SLA guarantees. |

Core features

The following table describes the core features of ASM. For more information, see Features.

| Feature | Description | References |
|---|---|---|
| Full lifecycle management of mesh instances | Fully managed control plane, compatible with Istio community specifications, supporting one-click deployment, upgrade, and deletion operations. Reduces usage and maintenance barriers. | Instance management |
| Support for multiple infrastructure applications | Support for applications on ACK, ACK Serverless, ACS clusters, edge clusters, and ACK One registered clusters. | Multi-cluster application management |
| Unified ingress and egress gateways | Provides unified traffic entry and exit points for applications within the mesh. Supports one-click enabling or disabling of mTLS, implementing end-to-end secure encryption and traffic control. | Overview of ASM gateways |
| Multiple types of traffic management | Support for multi-protocol traffic management, end-to-end canary release, circuit breaking, local rate limiting, slow start warm-up, and traffic fallback capabilities. | Traffic management |
| Compatible with multiple observability capabilities | Provides mesh diagnostic capabilities, integrates managed tracing, monitoring, and logging services to achieve end-to-end visibility. | Observability management |
| Non-intrusive zero trust security system | Provides an out-of-the-box, dynamically configurable zero trust security solution, including identity authentication, security certificates, policy enforcement, and visual analytics. | Overview of zero trust security |
| Extensibility for custom logic | The plugin marketplace includes multiple out-of-the-box extension plugins. Also supports custom EnvoyFilter. | Extension center |
| Comprehensive ecosystem integration | Support for common GitOps tools and for Serverless and AI services such as Knative and KServe. | Ecosystem integration |

Billing

ASM is divided into Enterprise Edition and Ultimate Edition based on different features and support capabilities. Both are commercial editions with different billing standards. For more information about ASM billing, see Billing rules.

Quota limits

You need to understand the following limits before using ASM:

  • You can create a maximum of 10 Standard Edition + Lab instances. There is no quota limit for Enterprise Edition/Ultimate Edition. To increase the quota, please submit a ticket.

  • The number of pods for each mesh instance varies based on different ASM instance specifications. For details, see Quotas.

Note

Before using ASM, you need to ensure that you have activated Container Service for Kubernetes (ACK). For information about limitations when using Alibaba Cloud Container Service for Kubernetes clusters, see Quotas and limits.

API support

Currently, ASM supports both Gateway API and Istio API.

Gateway API will be the default API for service mesh in the future. If you are not familiar with Istio API, we recommend you use Gateway API first. If you already have experience with Istio API, you can continue using it.

Gateway API and Istio API have many similarities. Before you start, please note the following points:

  • In Istio API, the Gateway resource only defines gateway rules and does not deploy the gateway's Deployment/Service. In Gateway API, the Gateway resource both configures the gateway and deploys its Deployment/Service.

  • In Istio API's VirtualService, all protocols are configured in a single resource. In Gateway API, each protocol type has its own resource, such as HTTPRoute and GRPCRoute.

  • Gateway API does not yet fully cover all of Istio's features.
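
The first two differences above, as an added side-by-side example (not taken from the ASM documentation): the same host and backend exposed once with Istio API and once with Gateway API. The resource names, namespace, hostname, backend service, the `istio: ingressgateway` selector label, and the `istio` gatewayClassName are assumptions; apply one variant, not both.

```yaml
# Variant A, Istio API: Gateway is rules only and binds to a gateway workload that already exists.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata: {name: web-gw, namespace: demo}        # hypothetical name and namespace
spec:
  selector:
    istio: ingressgateway                        # assumed label of an already-deployed ingress gateway
  servers:
  - port: {number: 80, name: http, protocol: HTTP}
    hosts: ["app.example.com"]                   # constructed hostname
---
# Istio API: one VirtualService carries the routes for every protocol (only http is used here).
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata: {name: web, namespace: demo}
spec:
  hosts: ["app.example.com"]
  gateways: ["web-gw"]
  http:
  - route:
    - destination: {host: web.demo.svc.cluster.local, port: {number: 8080}}
---
# Variant B, Gateway API: creating this Gateway also deploys the gateway Deployment/Service.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata: {name: web-gw, namespace: demo}
spec:
  gatewayClassName: istio                        # assumed class name for the mesh
  listeners:
  - name: http
    port: 80
    protocol: HTTP
    hostname: app.example.com
    allowedRoutes:
      namespaces: {from: Same}                   # only routes in this namespace may attach
---
# Gateway API: one resource kind per protocol; a gRPC backend would use GRPCRoute instead.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata: {name: web, namespace: demo}
spec:
  parentRefs: [{name: web-gw}]
  hostnames: ["app.example.com"]
  rules:
  - backendRefs: [{name: web, port: 8080}]
```

Because a Gateway API Gateway also provisions a Deployment/Service, permission to create that resource is permission to open a new traffic entry point, so scope RBAC on it accordingly. The `allowedRoutes` field limits which namespaces can attach routes to the listener.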